In recent years I have noticed that a good number of sites resolve their names to DNS address records with a short TTL, like 60 seconds or less, which change every time. It looks like attempts at load-balancing to me.
I use network segmentation a lot, and so I have a number of aliases in my firewall rules to keep things crisp. Using these names, however, means that by the time clients on my network resolve them, the addresses of those sites have changed compared to when the alias was last refreshed, and so the firewall rules block the traffic.
Of course, I could refresh the aliases very frequently to reduce the chance of a TTL expiring before the alias is refreshed, but that seems like a big waste to me. Instead, it would be best to refresh aliases based on the TTL of the DNS responses. Is there a way to achieve this in OPNsense?
Apart from that, dnsmasq has a feature to run scripts based on the response record it receives. So, technically, one could write a script adding pf rules based on DNS responses. But that looks like a security incident waiting to happen to me, even when restricted to DNSSEC.
So, how do you folks deal with this kind of situation?
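As an added example (not from the thread and not OPNsense or dnsmasq code), the following stand-alone Python script shows the TTL-driven scheduling the post asks for: it parses a DNS response, pulls out the A records with their TTLs, and computes the refresh deadline for an alias as now + min(TTL) over the answer set, clamped to a floor so a zero TTL cannot become a busy loop. The response bytes are constructed inline (RFC 5737 documentation addresses) so the script runs offline; the function names (`parse_a_records`, `refresh_deadline`, `alias_plan`, `query_a`) are my own choices, and `query_a` is only there to show how a live UDP lookup against a local resolver would plug in.

```python
import socket
import struct
import time

# Constructed sample: a response for "example.com" with two A records whose TTLs
# differ (60 s and 20 s). Names in the answer section use compression pointers
# (0xc00c -> offset 12), exactly as real resolvers emit them.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00"                      # header: id, flags, 1 Q, 2 A
    b"\x07example\x03com\x00\x00\x01\x00\x01"                                # question: example.com A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xc0\x00\x02\x0a"      # A 192.0.2.10, TTL 60
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x14\x00\x04\xcb\x00\x71\x07"      # A 203.0.113.7, TTL 20
)


def build_query(name, qid=0x1234):
    """Build a minimal A-record query (RD bit set) for `name`."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _read_name(msg, offset):
    """Decode a possibly-compressed name; return (name, offset just past it)."""
    labels, jumped, end, hops = [], False, None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = offset + 2                       # caller continues after the 2-byte pointer
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:                              # refuse pointer loops in hostile responses
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_a_records(msg):
    """Return [(owner, ipv4, ttl)] for every IN A record in the answer section."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError("RCODE %d" % (flags & 0xF))
    offset = 12
    for _ in range(qd):                                # skip the question section
        _, offset = _read_name(msg, offset)
        offset += 4                                    # QTYPE + QCLASS
    records = []
    for _ in range(an):
        owner, offset = _read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # only IN A with a sane length
            records.append((owner, socket.inet_ntoa(rdata), ttl))
    return records


def refresh_deadline(records, now, floor=5):
    """Epoch second by which the alias must be refreshed: now + smallest TTL,
    never sooner than `floor` seconds so a TTL of 0 does not hammer the resolver."""
    if not records:
        return now + floor
    return now + max(floor, min(ttl for _, _, ttl in records))


def alias_plan(msg, now):
    """Addresses to load into the alias plus the time to re-resolve."""
    records = parse_a_records(msg)
    return {"addresses": sorted({ip for _, ip, _ in records}),
            "refresh_at": refresh_deadline(records, now)}


def query_a(name, server="127.0.0.1", timeout=2.0):
    """Live UDP lookup against a resolver (not exercised by the offline demo)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(4096)
    if resp[:2] != q[:2]:                              # reject answers to someone else's query
        raise ValueError("transaction ID mismatch")
    return resp


if __name__ == "__main__":
    now = int(time.time())
    plan = alias_plan(SAMPLE_RESPONSE, now)
    print("alias addresses:", plan["addresses"])
    print("re-resolve in %d s" % (plan["refresh_at"] - now))
```

The script stops at computing what the alias should contain and when it is stale; pushing the result into a pf table (for example with `pfctl -t NAME -T replace`) is the step the post is wary of, and whatever does it should treat resolver output as untrusted input: only well-formed IPv4 addresses get loaded, and the resolver feeding it should be one that validates DNSSEC so a spoofed answer cannot open a hole in the ruleset.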
Hello guys, I'm trying to assign 2 public IPs, which I get from my cloud provider, to the same WAN NIC. The problem I get is this: on the interface of the VM, which runs on PROXMOX, I get two IPs, but both are the same, while in the config.xml the configuration looks good. I get both IPs in different sections of wan (wan and wan1), and I can use only 1 of them to connect to the GUI. On the other hand, inside the OPNsense GUI I can see the two WANs, and in their settings I can see the IPs I got from the cloud provider. Any suggestions as to what the problem is? Adding images if I didn't clarify myself enough.
« Last post by cookiemonster on Today at 03:27:57 pm »
Indeed, it is a timing exercise. There are different ways depending on what you have, and the order will also depend on that. For instance, if you could have one port in OPN that can be left as a management port, that is one way. If that is not available: I first did my port plan on the switch (I drew it for myself). Once ready, I did OPN. The first time I locked myself out and had to reset the switch to defaults. I'll see if I can dig out my post about it. I went from mixed traffic to the "correct way". Maybe you could approach it that way.
« Last post by the1corrupted on Today at 02:54:10 pm »
I solved the problem.
The script didn't have execute permissions, and was getting "permission denied" during startup. chmod +x /usr/local/etc/rc.syshook.d/early/99-opnatt fixed the boot time issues.
Because of the failed boots, it was using the fallback WAN interface (which doesn't work). I re-bound the WAN interface to ngeth0, rebooted again, and now it's working.
« Last post by paul199513 on Today at 02:46:56 pm »
Hello everyone,
I have two firewalls. On one of them the error occurs that I can only successfully perform a port scan to the Graylog server if I use the firewall's LAN address as the source address. If I leave the field empty, the connection does not work. On the other firewall I get the error that the issuer of the SSL certificate (wildcard certificate) cannot be determined. For the web interface, the SSL certificate works without problems.